On Fri, 23 Sep 2016, Deepak Dimri wrote:
> Hi Alexander, I am using AWS to do a pilot on FreeIPA & unfortunately
> AWS does not provide Fedora or CentOS as part of its free-tier setup so
> I have to live with Ubuntu, Red Hat, SUSE etc. I have the same problem
> with Ubuntu and Red Hat though!
CentOS 7 is available and eligible for the free tier:
https://aws.amazon.com/marketplace/pp/B00O7WM7QW
> Just one basic question.. what are the steps I should be following to
> make it work assuming I am trying on CentOS or Fedora?
Literally what you describe in your setup, except that 'password:pam'
seems to be broken in OpenSSH -- given that you are using PAM already
for password checks, removing :pam should just work. It works for me
with

    Match Group twofa
        AllowGroups twofa
        AuthenticationMethods publickey,password publickey,keyboard-interactive

as the last statement in the sshd_config.
Sep 23 11:55:50 f24-master.ipa.ad.test sshd[2965]: debug3: monitor_child_preauth: method publickey: partial
...
Sep 23 11:56:07 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: sshpam_passwd_conv called with 2 messages
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: request received
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: user query start
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: user query end: uid=foobar,cn=users,cn=accounts,dc=ipa,dc=ad,dc=test
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: bind start: uid=foobar,cn=users,cn=accounts,dc=ipa,dc=ad,dc=test
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: bind end: success
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: response sent: Access-Accept
Sep 23 11:56:10 f24-master.ipa.ad.test audit[2965]: USER_AUTH pid=2965 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="foobar" exe="/usr/sbin/sshd" hostname=192.168.5.136 addr=192.168.5.136 terminal=ssh res=success'
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.136 user=foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: PAM: password authentication accepted for foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_answer_authpassword: sending result 1
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_send entering: type 13
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: auth2_update_methods_lists: updating methods list after "password"
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug2: authentication methods list 0 complete
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_receive_expect entering: type 102
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_receive entering
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: do_pam_account: called
Sep 23 11:56:12 f24-master.ipa.ad.test audit[2965]: USER_ACCT pid=2965 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="foobar" exe="/usr/sbin/sshd" hostname=192.168.5.136 addr=192.168.5.136 terminal=ssh res=success'
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_send entering: type 103
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: Accepted password for foobar from 192.168.5.136 port 33466 ssh2
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug1: monitor_child_preauth: foobar has been authenticated by privileged process
The first line above says that the publickey method was successful but not
enough to allow login (partial) because a password is also required. The
client got a request to enter the password+OTP value. As you can see, the
user is only allowed to log in with an OTP token.
$ ssh foobar@192.168.5.117
foobar@192.168.5.117's password:
Last login: Fri Sep 23 11:49:17 2016
-sh-4.3$ id
uid=903200044(foobar) gid=903200044(foobar)
groups=903200044(foobar),903200046(twofa)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.3$ klist
Ticket cache: KEYRING:persistent:903200044:krb_ccache_Dk553LV
Default principal: foo...@ipa.ad.test
Valid starting       Expires              Service principal
09/23/2016 11:56:08  09/24/2016 11:56:08  krbtgt/ipa.ad.t...@ipa.ad.test
-sh-4.3$ ipa user-show foobar
  User login: foobar
  First name: Test
  Last name: Foo
  Home directory: /home/foobar
  Login shell: /bin/sh
  Principal name: foo...@ipa.ad.test
  Principal alias: foo...@ipa.ad.test
  Email address: foo...@ipa.ad.test
  UID: 903200044
  GID: 903200044
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: twofa, ipausers
  Kerberos keys available: True
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
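The debug log in Alexander's message shows the shape of a successful two-factor login under that sshd_config: publickey reported as "partial", ipa-otpd answering Access-Accept, the PAM USER_AUTH record credited to pam_sss, and finally "Accepted password". The following is an added example, not code from this thread or from FreeIPA or OpenSSH: a small Python checker that walks such log lines and decides, per sshd session, whether both factors were actually exercised, which is the check you want when verifying that a twofa group member cannot get in on a key alone. It assumes one log record per line (the log above is wrapped for mail), the sshd, auditd and ipa-otpd message formats seen above, and that the local part of the principal ipa-otpd logs equals the sshd account name. The sample lines (users alice and bob, pids 4242 and 4300, hosts 192.0.2.x) are constructed for the example, not taken from the thread.

```python
"""Decide, from sshd/audit/ipa-otpd log lines, whether an SSH login used both
factors (publickey + PAM-backed password/OTP) as the sshd_config above requires.
Added example; the sample lines below are constructed, not the thread's log."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Only the text after "sshd[PID]: " is inspected, so the timestamp/host
# prefix does not matter. One record per line (undo mail wrapping first).
SSHD_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PARTIAL_RE = re.compile(r"monitor_child_preauth: method (?P<method>[\w-]+): partial")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>[\w-]+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
AUDIT_RE = re.compile(r'audit\[(?P<pid>\d+)\]: USER_AUTH .*grantors=(?P<grantors>\S+) acct="(?P<user>[^"]+)"')
OTPD_RE = re.compile(r"ipa-otpd\[\d+\]: (?P<principal>\S+): response sent: (?P<code>Access-\w+)")


@dataclass
class Session:
    pid: str
    partial: List[str] = field(default_factory=list)   # methods that passed but did not finish auth
    accepted: Optional[str] = None                     # method that completed the login
    user: Optional[str] = None
    ip: Optional[str] = None
    grantors: List[str] = field(default_factory=list)  # PAM modules credited in USER_AUTH


def parse(lines) -> Tuple[Dict[str, Session], Set[str]]:
    """Group sshd and audit records by sshd pid; collect users ipa-otpd accepted."""
    sessions: Dict[str, Session] = {}
    otp_users: Set[str] = set()
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            s = sessions.setdefault(m["pid"], Session(m["pid"]))
            msg = m["msg"]
            p = PARTIAL_RE.search(msg)
            a = ACCEPTED_RE.search(msg)
            if p:
                s.partial.append(p["method"])
            elif a:
                s.accepted, s.user, s.ip = a["method"], a["user"], a["ip"]
            continue
        m = AUDIT_RE.search(line)
        if m:
            s = sessions.setdefault(m["pid"], Session(m["pid"]))
            s.grantors = m["grantors"].split(",")
            s.user = s.user or m["user"]
            continue
        m = OTPD_RE.search(line)
        if m and m["code"] == "Access-Accept":
            # Assumption: the principal's local part is the sshd account name.
            otp_users.add(m["principal"].split("@", 1)[0])
    return sessions, otp_users


def two_factor_ok(s: Session, otp_users: Set[str]) -> bool:
    """Both factors seen: publickey was partial, then the PAM password step
    completed with pam_sss as a grantor, and ipa-otpd accepted an OTP for the user."""
    return (
        "publickey" in s.partial
        and s.accepted in ("password", "keyboard-interactive")
        and "pam_sss" in s.grantors
        and s.user in otp_users
    )


def report(lines) -> Dict[str, bool]:
    """Map each user who completed a login to whether it was two-factor."""
    sessions, otp_users = parse(lines)
    return {s.user: two_factor_ok(s, otp_users)
            for s in sessions.values() if s.accepted and s.user}


# Constructed sample: alice logs in via publickey + password/OTP, bob via publickey alone.
SAMPLE_LOG = """\
Sep 23 12:00:01 ipa-client sshd[4242]: debug3: monitor_child_preauth: method publickey: partial
Sep 23 12:00:05 ipa-client ipa-otpd[2892]: alice@ipa.ad.test: response sent: Access-Accept
Sep 23 12:00:07 ipa-client audit[4242]: USER_AUTH pid=4242 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
Sep 23 12:00:07 ipa-client sshd[4242]: Accepted password for alice from 192.0.2.10 port 50123 ssh2
Sep 23 12:01:30 ipa-client sshd[4300]: Accepted publickey for bob from 192.0.2.11 port 50124 ssh2: ED25519 SHA256:constructedfingerprint
""".splitlines()

if __name__ == "__main__":
    for user, ok in report(SAMPLE_LOG).items():
        print(f"{user}: {'two-factor' if ok else 'SINGLE FACTOR'}")
```

Run it against `journalctl -u sshd -o short` output joined with the audit and ipa-otpd lines (sshd must be at LogLevel DEBUG3 for the "partial" lines to appear). A session whose only record is "Accepted publickey" for a user who should be in the twofa group means the Match block did not apply to that connection, which is exactly the failure the original question was chasing.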